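# Actions that Policy Sentry classifies at the "Permissions management" access
# level: calls that change *who* may do *what* (IAM principals and policies,
# resource-based policies, KMS grants, credential resets, sharing settings...).
#
# The set below is a frozen snapshot obtained from Policy Sentry via the code in
# the comment that follows. It is inlined to avoid pulling in Policy Sentry and
# its requirements (~50MB). Being a snapshot, it will not contain actions added
# to the Policy Sentry database after it was generated; regenerate it from time
# to time with:
#
#     from policy_sentry.shared.database import connect_db
#     from policy_sentry.querying.actions import get_actions_with_access_level
#
#     db_session = connect_db("bundled")
#     permissions_management_actions = get_actions_with_access_level(
#         db_session, "all", "Permissions management"
#     )
#     permissions_management_actions_normalized = [
#         x.lower() for x in permissions_management_actions
#     ]
#     permissions_management_actions = permissions_management_actions_normalized
#
# Every entry is lowercased; comparisons against it must lowercase the candidate
# action too. Built once at import time as a frozenset so the per-action
# membership test in audit() is O(1) instead of a linear scan of ~270 strings.
_PERMISSIONS_MANAGEMENT_ACTIONS = frozenset(
    {
        "acm-pca:createpermission",
        "acm-pca:deletepermission",
        "backup:deletebackupvaultaccesspolicy",
        "backup:putbackupvaultaccesspolicy",
        "chime:deletevoiceconnectorterminationcredentials",
        "chime:putvoiceconnectorterminationcredentials",
        "cloudformation:setstackpolicy",
        "cloudsearch:updateserviceaccesspolicies",
        "codebuild:deleteresourcepolicy",
        "codebuild:deletesourcecredentials",
        "codebuild:importsourcecredentials",
        "codebuild:putresourcepolicy",
        "codestar:associateteammember",
        "codestar:createproject",
        "codestar:deleteproject",
        "codestar:disassociateteammember",
        "codestar:updateteammember",
        "cognito-identity:createidentitypool",
        "cognito-identity:deleteidentities",
        "cognito-identity:deleteidentitypool",
        "cognito-identity:getid",
        "cognito-identity:mergedeveloperidentities",
        "cognito-identity:setidentitypoolroles",
        "cognito-identity:unlinkdeveloperidentity",
        "cognito-identity:unlinkidentity",
        "cognito-identity:updateidentitypool",
        "connect:getfederationtoken",
        "connect:getfederationtokens",
        "deeplens:associateserviceroletoaccount",
        "ds:createconditionalforwarder",
        "ds:createdirectory",
        "ds:createidentitypooldirectory",
        "ds:createmicrosoftad",
        "ds:createtrust",
        "ds:sharedirectory",
        "ec2:createnetworkinterfacepermission",
        "ec2:deletenetworkinterfacepermission",
        "ec2:modifysnapshotattribute",
        "ec2:modifyvpcendpointservicepermissions",
        "ec2:resetsnapshotattribute",
        "ecr:setrepositorypolicy",
        "elasticmapreduce:putblockpublicaccessconfiguration",
        "es:createelasticsearchdomain",
        "es:updateelasticsearchdomainconfig",
        "gamelift:requestuploadcredentials",
        "glacier:abortvaultlock",
        "glacier:completevaultlock",
        "glacier:deletevaultaccesspolicy",
        "glacier:initiatevaultlock",
        "glacier:setdataretrievalpolicy",
        "glacier:setvaultaccesspolicy",
        "glue:deleteresourcepolicy",
        "glue:putresourcepolicy",
        "greengrass:associateserviceroletoaccount",
        "health:describehealthservicestatusfororganization",
        "health:disablehealthserviceaccessfororganization",
        "health:enablehealthserviceaccessfororganization",
        "iam:addclientidtoopenidconnectprovider",
        "iam:addroletoinstanceprofile",
        "iam:addusertogroup",
        "iam:attachgrouppolicy",
        "iam:attachrolepolicy",
        "iam:attachuserpolicy",
        "iam:changepassword",
        "iam:createaccesskey",
        "iam:createaccountalias",
        "iam:creategroup",
        "iam:createinstanceprofile",
        "iam:createloginprofile",
        "iam:createopenidconnectprovider",
        "iam:createpolicy",
        "iam:createpolicyversion",
        "iam:createrole",
        "iam:createsamlprovider",
        "iam:createservicelinkedrole",
        "iam:createservicespecificcredential",
        "iam:createuser",
        "iam:createvirtualmfadevice",
        "iam:deactivatemfadevice",
        "iam:deleteaccesskey",
        "iam:deleteaccountalias",
        "iam:deleteaccountpasswordpolicy",
        "iam:deletegroup",
        "iam:deletegrouppolicy",
        "iam:deleteinstanceprofile",
        "iam:deleteloginprofile",
        "iam:deleteopenidconnectprovider",
        "iam:deletepolicy",
        "iam:deletepolicyversion",
        "iam:deleterole",
        "iam:deleterolepermissionsboundary",
        "iam:deleterolepolicy",
        "iam:deletesamlprovider",
        "iam:deletesshpublickey",
        "iam:deleteservercertificate",
        "iam:deleteservicelinkedrole",
        "iam:deleteservicespecificcredential",
        "iam:deletesigningcertificate",
        "iam:deleteuser",
        "iam:deleteuserpermissionsboundary",
        "iam:deleteuserpolicy",
        "iam:deletevirtualmfadevice",
        "iam:detachgrouppolicy",
        "iam:detachrolepolicy",
        "iam:detachuserpolicy",
        "iam:enablemfadevice",
        "iam:passrole",
        "iam:putgrouppolicy",
        "iam:putrolepermissionsboundary",
        "iam:putrolepolicy",
        "iam:putuserpermissionsboundary",
        "iam:putuserpolicy",
        "iam:removeclientidfromopenidconnectprovider",
        "iam:removerolefrominstanceprofile",
        "iam:removeuserfromgroup",
        "iam:resetservicespecificcredential",
        "iam:resyncmfadevice",
        "iam:setdefaultpolicyversion",
        "iam:setsecuritytokenservicepreferences",
        "iam:updateaccesskey",
        "iam:updateaccountpasswordpolicy",
        "iam:updateassumerolepolicy",
        "iam:updategroup",
        "iam:updateloginprofile",
        "iam:updateopenidconnectproviderthumbprint",
        "iam:updaterole",
        "iam:updateroledescription",
        "iam:updatesamlprovider",
        "iam:updatesshpublickey",
        "iam:updateservercertificate",
        "iam:updateservicespecificcredential",
        "iam:updatesigningcertificate",
        "iam:updateuser",
        "iam:uploadsshpublickey",
        "iam:uploadservercertificate",
        "iam:uploadsigningcertificate",
        "imagebuilder:getcomponentpolicy",
        "imagebuilder:putcomponentpolicy",
        "imagebuilder:putimagepolicy",
        "imagebuilder:putimagerecipepolicy",
        "iot:attachpolicy",
        "iot:attachprincipalpolicy",
        "iot:detachpolicy",
        "iot:detachprincipalpolicy",
        "iot:setdefaultauthorizer",
        "iot:setdefaultpolicyversion",
        "iotsitewise:createaccesspolicy",
        "iotsitewise:deleteaccesspolicy",
        "iotsitewise:listaccesspolicies",
        "iotsitewise:updateaccesspolicy",
        "kms:creategrant",
        "kms:createkey",
        "kms:putkeypolicy",
        "kms:retiregrant",
        "kms:revokegrant",
        "lakeformation:batchgrantpermissions",
        "lakeformation:batchrevokepermissions",
        "lakeformation:grantpermissions",
        "lakeformation:putdatalakesettings",
        "lakeformation:revokepermissions",
        "lambda:addlayerversionpermission",
        "lambda:addpermission",
        "lambda:disablereplication",
        "lambda:enablereplication",
        "lambda:removelayerversionpermission",
        "lambda:removepermission",
        "license-manager:updateservicesettings",
        "lightsail:getinstanceaccessdetails",
        "lightsail:getrelationaldatabasemasteruserpassword",
        "logs:deleteresourcepolicy",
        "logs:putresourcepolicy",
        "mediapackage:rotateingestendpointcredentials",
        "mediastore:deletecontainerpolicy",
        "mediastore:putcontainerpolicy",
        "opsworks:setpermission",
        "opsworks:updateuserprofile",
        "ram:acceptresourceshareinvitation",
        "ram:associateresourceshare",
        "ram:createresourceshare",
        "ram:deleteresourceshare",
        "ram:disassociateresourceshare",
        "ram:enablesharingwithawsorganization",
        "ram:rejectresourceshareinvitation",
        "ram:updateresourceshare",
        "rds:authorizedbsecuritygroupingress",
        "rds-db:connect",
        "redshift:authorizesnapshotaccess",
        "redshift:createclusteruser",
        "redshift:createsnapshotcopygrant",
        "redshift:getclustercredentials",
        "redshift:joingroup",
        "redshift:modifyclusteriamroles",
        "redshift:revokesnapshotaccess",
        "s3:bypassgovernanceretention",
        "s3:deleteaccesspointpolicy",
        "s3:deletebucketpolicy",
        "s3:objectowneroverridetobucketowner",
        "s3:putaccesspointpolicy",
        "s3:putaccountpublicaccessblock",
        "s3:putbucketacl",
        "s3:putbucketpolicy",
        "s3:putbucketpublicaccessblock",
        "s3:putobjectacl",
        "s3:putobjectversionacl",
        "secretsmanager:deleteresourcepolicy",
        "secretsmanager:putresourcepolicy",
        "sns:addpermission",
        "sns:createtopic",
        "sns:removepermission",
        "sns:settopicattributes",
        "sqs:addpermission",
        "sqs:createqueue",
        "sqs:removepermission",
        "sqs:setqueueattributes",
        "ssm:modifydocumentpermission",
        "sso:associatedirectory",
        "sso:associateprofile",
        "sso:createapplicationinstance",
        "sso:createapplicationinstancecertificate",
        "sso:createpermissionset",
        "sso:createprofile",
        "sso:createtrust",
        "sso:deleteapplicationinstance",
        "sso:deleteapplicationinstancecertificate",
        "sso:deletepermissionset",
        "sso:deletepermissionspolicy",
        "sso:deleteprofile",
        "sso:disassociatedirectory",
        "sso:disassociateprofile",
        "sso:importapplicationinstanceserviceprovidermetadata",
        "sso:putpermissionspolicy",
        "sso:startsso",
        "sso:updateapplicationinstanceactivecertificate",
        "sso:updateapplicationinstancedisplaydata",
        "sso:updateapplicationinstanceresponseconfiguration",
        "sso:updateapplicationinstanceresponseschemaconfiguration",
        "sso:updateapplicationinstancesecurityconfiguration",
        "sso:updateapplicationinstanceserviceproviderconfiguration",
        "sso:updateapplicationinstancestatus",
        "sso:updatedirectoryassociation",
        "sso:updatepermissionset",
        "sso:updateprofile",
        "sso:updatessoconfiguration",
        "sso:updatetrust",
        "sso-directory:addmembertogroup",
        "sso-directory:createalias",
        "sso-directory:creategroup",
        "sso-directory:createuser",
        "sso-directory:deletegroup",
        "sso-directory:deleteuser",
        "sso-directory:disableuser",
        "sso-directory:enableuser",
        "sso-directory:removememberfromgroup",
        "sso-directory:updategroup",
        "sso-directory:updatepassword",
        "sso-directory:updateuser",
        "sso-directory:verifyemail",
        "storagegateway:deletechapcredentials",
        "storagegateway:setlocalconsolepassword",
        "storagegateway:setsmbguestpassword",
        "storagegateway:updatechapcredentials",
        "waf:deletepermissionpolicy",
        "waf:getchangetoken",
        "waf:putpermissionpolicy",
        "waf-regional:deletepermissionpolicy",
        "waf-regional:getchangetoken",
        "waf-regional:putpermissionpolicy",
        "wafv2:createwebacl",
        "wafv2:deletewebacl",
        "wafv2:updatewebacl",
        "worklink:updatedevicepolicyconfiguration",
        "workmail:resetpassword",
        "workmail:resetuserpassword",
        "xray:putencryptionconfig",
    }
)


def audit(policy):
    """Flag a policy that grants any "Permissions management" action.

    Such actions let a principal change access control itself (attach IAM
    policies, rewrite resource policies, create KMS grants, reset credentials,
    share resources, ...), so a policy that allows even one of them is a
    privilege-escalation path and is reported as a single
    ``PERMISSIONS_MANAGEMENT_ACTIONS`` finding.

    Args:
        policy: Object exposing ``get_allowed_actions()``, returning an
            iterable of ``"service:Action"`` strings, and
            ``add_finding(name, location=...)``. The actions are expected to be
            already expanded — an unexpanded wildcard such as ``iam:*`` will
            not match anything here (assumes ``get_allowed_actions`` does that
            expansion; confirm against the policy implementation).

    Returns:
        None. Side effect: calls ``policy.add_finding`` at most once, with
        ``location={"actions": [...]}`` listing every matching action in the
        order (and with any duplicates) returned by ``get_allowed_actions``.
    """
    # IAM action names are case-insensitive and the reference set is
    # lowercased, so compare case-insensitively. The action is reported in the
    # policy's original spelling so the finding matches what the user wrote.
    matched_actions = [
        action
        for action in policy.get_allowed_actions()
        if action.lower() in _PERMISSIONS_MANAGEMENT_ACTIONS
    ]
    if matched_actions:
        policy.add_finding(
            "PERMISSIONS_MANAGEMENT_ACTIONS",
            location={"actions": matched_actions},
        )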
